BID:24000

Libpng Library Remote Denial of Service Vulnerability

Info

Libpng Library Remote Denial of Service Vulnerability

Bugtraq ID:	24000
Class:	Design Error
CVE:	CVE-2007-2445
Remote:	Yes
Local:	No
Published:	May 15 2007 12:00AM
Updated:	Mar 23 2009 03:56PM
Credit:	The vendor reported this issue.
Vulnerable:	Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Turbolinux FUJI 0 Turbolinux Appliance Server Workgroup Edition 1.0 Turbolinux Appliance Server Hosting Edition 1.0 Turbolinux Appliance Server 1.0 Workgroup Edition Turbolinux Appliance Server 1.0 Hosting Edition Turbolinux Appliance Server 2.0 TransSoft Broker FTP Server 8.0 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 10_x86 Sun Solaris 10 SGI ProPack 3.0 SP6 rPath rPath Linux 1 Redhat Fedora Core6 Redhat Fedora Core5 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux Virtualization 5 Server Redhat Enterprise Linux Supplementary 5 server Redhat Enterprise Linux Optional Productivity Application 5 server Redhat Enterprise Linux Hardware Certification 5 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop Supplementary 5 client Redhat Enterprise Linux Desktop Multi OS 5 client Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux Clustering 5 server Redhat Enterprise Linux Cluster-Storage 5 server Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Enterprise Linux Desktop version 4 Redhat Enterprise Linux 5 Server Redhat Desktop 4.0 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 OpenPKG OpenPKG E1.0-Solid OpenPKG OpenPKG Current Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Linux Terminal Server Project Linux Terminal Server Project 4.2 libpng libpng3 1.2.12 libpng libpng3 1.2.11 libpng libpng3 1.2.10 libpng libpng3 1.2.8 + Slackware Linux 10.2 + Slackware Linux 10.1 + Slackware Linux 10.1 + Trustix Secure Linux 3.0.5 + Trustix Secure Linux 3.0 + Trustix Secure Linux 2.2 libpng libpng3 1.2.7 + Trustix Secure Enterprise Linux 2.0 libpng libpng3 1.2.5 + Gentoo Linux 1.4 _rc1 + Gentoo Linux 1.4 _rc1 + Gentoo Linux 1.2 + Gentoo Linux 1.2 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0 + Mandriva Linux Mandrake 10.0 + Mandriva Linux Mandrake 9.2 amd64 + Mandriva Linux Mandrake 9.2 amd64 + Mandriva Linux Mandrake 9.2 + Mandriva Linux Mandrake 9.2 + Mandriva Linux Mandrake 9.1 ppc + Mandriva Linux Mandrake 9.1 ppc + Mandriva Linux Mandrake 9.1 + Mandriva Linux Mandrake 9.1 + Redhat Fedora Core1 + Slackware Linux 10.0 + Slackware Linux 9.1 + Slackware Linux 9.1 + Slackware Linux 9.0 + Slackware Linux 9.0 + Slackware Linux -current + Slackware Linux -current + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 + Ubuntu Ubuntu Linux 4.1 ia32 libpng libpng3 1.2.1 + Debian Linux 3.0 + Debian Linux 3.0 + Mandriva Linux Mandrake 8.2 ppc + Mandriva Linux Mandrake 8.2 + Mandriva Linux Mandrake 8.2 + Slackware Linux 8.1 libpng libpng3 1.2 .0 libpng libpng 1.0.18 libpng libpng 1.0.17 libpng libpng 1.0.16 libpng libpng 1.0.15 libpng libpng 1.0.14 libpng libpng 1.0.13 libpng libpng 1.0.12 libpng libpng 1.0.11 libpng libpng 1.0.10 + SuSE Linux 7.2 libpng libpng 1.0.9 + Mandriva Linux Mandrake 8.0 ppc + Mandriva Linux Mandrake 8.0 libpng libpng 1.0.8 libpng libpng 1.0.7 libpng libpng 1.0.6 libpng libpng 1.0.5 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 IA-32 + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + MandrakeSoft Corporate Server 1.0.1 + Mandriva Linux Mandrake 7.1 libpng libpng 1.0 libpng libpng 0.90 Irrlicht Engine Irrlicht Engine 1.3 Irrlicht Engine Irrlicht Engine 1.2 Irrlicht Engine Irrlicht Engine 1.1 Google Android Software Development Kit (SDK) m3-rc37a Gentoo Linux Foresight Linux Foresight Linux 1.1 Debian Linux 5.0 sparc Debian Linux 5.0 s/390 Debian Linux 5.0 powerpc Debian Linux 5.0 mipsel Debian Linux 5.0 mips Debian Linux 5.0 m68k Debian Linux 5.0 ia-64 Debian Linux 5.0 ia-32 Debian Linux 5.0 hppa Debian Linux 5.0 armel Debian Linux 5.0 arm Debian Linux 5.0 amd64 Debian Linux 5.0 alpha Debian Linux 5.0 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 armel Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Avaya SES 3.1.1 Avaya SES 3.0 Avaya SES 2.0 Avaya Messaging Storage Server MSS 3.0 Avaya Messaging Storage Server MM3.0 Avaya Messaging Storage Server 2.0 Avaya Messaging Storage Server 1.0 Avaya Messaging Storage Server Avaya Message Networking MN 3.1 Avaya Message Networking Avaya Communication Manager 2.0.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 + Avaya Communication Manager Server S8700 Avaya Communication Manager 2.0 Avaya CCS 3.1.1 Avaya CCS 3.0 Avaya CCS 2.0 Avaya Aura Application Enablement Services 3.1.3 Apple Mac OS X Server 10.5.2 Apple Mac OS X 10.5.2

Not Vulnerable:	Linux Terminal Server Project Linux Terminal Server Project 5.0 libpng libpng 1.2.17 libpng libpng 1.0.25 Irrlicht Engine Irrlicht Engine 1.3.1 Google Android Software Development Kit (SDK) m5-rc15

Discussion

Libpng Library Remote Denial of Service Vulnerability

The 'libpng' library is prone to a remote denial-of-service vulnerability because the library fails to handle malicious PNG files.

Successful exploits may allow remote attackers to cause denial-of-service conditions on computers running the affected library.

This issue affects 'libpng' 1.2.16 and prior versions.

Exploit / POC

Libpng Library Remote Denial of Service Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Libpng Library Remote Denial of Service Vulnerability

Solution:
Vendor advisories are available. Please see the references for details.

Debian Linux 5.0 alpha